Skip to content

NetTCPConnect

Intro

NetTCPConnect - An event that monitors the connect() system call, providing detailed information about destination addresses including DNS resolutions.

Description

NetTCPConnect is a high-level event derived from the underlying security_socket_connect LSM (Linux Security Module) hook. This event is triggered whenever the connect() system call is invoked in the system, capturing attempts by sockets to establish a connection.

Unlike direct kernel probes, this LSM-based approach is not susceptible to Time-Of-Check to Time-Of-Use (TOCTOU) race conditions, making it a reliable source for monitoring socket connections.

Arguments

  1. dstIP (string): The destination IP address to which the socket is attempting to connect. 2. dstPort (int): The port number at the destination.
  2. results ([]string): DNS resolutions made to the destination IP, providing contextual information about the connection attempt.

Origin

Derived from security_socket_connect

Source

This event is derived from the security_socket_connect LSM hook. The LSM framework provides a way to track and control various aspects of system behavior, and security_socket_connect specifically monitors socket connection attempts.

Purpose

The purpose of deriving NetTCPConnect from security_socket_connect is to provide a more user-friendly and context-enriched view of socket connection attempts. This includes not only the basic connection details but also DNS resolution information, offering a comprehensive overview of network activities for security monitoring.

Example Use Case

NetTCPConnect can be used by security applications to monitor and log all outbound connection attempts in a system. It is particularly useful for detecting unusual network patterns or connections to suspicious endpoints, playing a crucial role in intrusion detection and network behavior analysis.

Issues

While NetTCPConnect offers detailed information about connection attempts, it's important to consider the volume of data generated, especially in systems with high network activity. Efficient data handling and analysis are key to leveraging the full potential of this event without overwhelming system resources or analysts.

  • net_flow_tcp_begin - similar event, based on network packet flows.
  • security_socket_connect

This document was automatically generated by OpenAI and reviewed by a Human.